CompTIA Security+ Exam Notes


Sunday, October 27, 2024

Pretexting: Beyond Phishing - Targeted Social Engineering Attacks

Pretexting

Pretexting is a form of social engineering in which attackers create a fabricated story or scenario to trick a victim into divulging sensitive information. The attacker builds trust through a convincing, personalized narrative, often impersonating someone familiar to the victim, such as a coworker or a government official, in order to gain access to confidential data. When used to collect personal financial details, pretexting is illegal for financial institutions under the Gramm-Leach-Bliley Act (GLBA).

Deceptive scenario:

Attackers craft a believable, tailored story to manipulate the victim into providing information they wouldn't usually share.

Trust building:

Unlike phishing, which relies on fear and urgency, pretexting aims to establish a false sense of trust with the victim.

Targeted approach:

Pretexting attacks often focus on specific individuals or organizations, gathering background information to craft a convincing narrative.

Impersonation tactics:

Attackers may impersonate colleagues, delivery personnel, or government officials to appear legitimate.

Methods of contact:

Pretexting attacks can happen online (email), over the phone (vishing), or in person.

Example of a pretexting attack:

An attacker emails a company employee pretending to be from the IT department, stating there's a critical security issue and requesting their login credentials to "fix the problem."

How to protect against pretexting:

Employee awareness training:

Educate employees about social engineering tactics and how to identify potential pretexting attempts.

Verification procedures:

Implement strict verification processes for sensitive information requests, especially when the request seems unusual.

Data privacy policies:

Enforce robust data privacy policies to limit access to sensitive information.